It's always surprised me that more people don't do what I did and take a 4-letter word they can remember easily and use the telephone-pad number matches for the letters, since IIRC ATMs have the letters printed on the keys too...

My ATM PIN used to be the first four digits of the product of the first six prime numbers in Pi divided by Planck's constant, but thieves guessed that one too easily and I lost everything. Now my PIN just spells the word "dick."

If you have absolutely no knowledge, the best way to pick a PIN is to simply roll 4d10, picking beforehand which die will correspond to which number. The best way to attack that would be to systematically try every combination at once, but in a random order (which is, over time, the way most likely to require the smallest number of rolls). But banks know this, and can detect it, so I clearly cannot choose the wine in front of you.

But most people don't carry 4d10, or even 1d10. So they don't pick randomly (they might think they're picking randomly, but study after study has shown that the human brain really sucks at picking random numbers). Hackers know this, and so they look for popular PINs and, when those run out, they look for information about the person (birthdays and anniversaries, for example) and try them. It doesn't work all the time, but you'll defeat the cracking checks much more often than you would with the random-draw method, so I clearly cannot choose the wine in front of me.

But we also know this works, and so since hackers aren't using a truly random approach, we don't have to either. We can narrow the number of PINs we use, retain almost all of the strength of randomness, while adding strength by specifically countering these attacks. Just make a list of the 10 or so most common PINs, then add your "personal PINs" (important birthdays and anniversaries, and also these dates spelled backwards). You'll probably have a list of 30-odd PINs by the time you're done with this. Then roll your 4d10, and in the unlikely event that a number on your list comes up, just re-roll. You're not going to exclude enough possible PINs to reduce your PIN's entropy significantly (for a four-digit PIN, you'd have to exclude some 500 PINs to reduce its entropy by even one bit), but you'll ensure that the "smart" crackers will have to go through at least as many attempts as your list is long before having any chance of finding your PIN, and the crack-detector will catch them before that. So I clearly cannot choose the wine in front of you.

But, of course, if this catches on, then the most common PINs will change. New lists will have to be drawn up: your important dates might not, but other popular PINs will. So if your PIN falls on the new list -not terribly likely, but it could happen- you'll have to change it. This is a pain, so I clearly cannot choose the wine in front of me.
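The roll-and-re-roll procedure from the post above, as an added Python example that is not part of the thread: it builds the block list (a handful of common PINs plus "personal" dates and their digit-reversals), picks a PIN by rejection sampling using a CSPRNG in place of physical d10s, and works out the entropy cost of excluding k PINs from the 10,000-PIN space as log2(10000) - log2(10000 - k). The common-PIN and date entries are constructed for illustration only, not any real user's list.

```python
import math
import secrets

PIN_SPACE = 10_000  # four-digit PINs 0000-9999

# Constructed block list for the example (not a real user's data).
COMMON_PINS = ["1234", "1111", "0000", "1212", "7777",
               "1004", "2000", "4444", "2222", "6969"]
PERSONAL_DATES = ["0714", "1225", "0301"]  # hypothetical MMDD dates


def personal_pins(dates):
    """Each date as written and with its digits reversed, per the post."""
    out = set()
    for d in dates:
        out.add(d)
        out.add(d[::-1])
    return out


def build_blocklist(common, dates):
    """Common PINs plus personal dates (and reversals) as one exclusion set."""
    return set(common) | personal_pins(dates)


def roll_4d10(rng=secrets.randbelow):
    """Four independent d10 rolls, one per digit position, each 0-9.
    rng(n) must return a uniform integer in [0, n); secrets.randbelow does."""
    return "".join(str(rng(10)) for _ in range(4))


def pick_pin(blocklist, rng=secrets.randbelow):
    """Rejection sampling: roll, and re-roll whenever the result is on the list.
    Returns (pin, number_of_rolls). Every PIN not on the list stays equally likely."""
    rolls = 0
    while True:
        rolls += 1
        pin = roll_4d10(rng)
        if pin not in blocklist:
            return pin, rolls


def entropy_loss_bits(n_excluded, space=PIN_SPACE):
    """Bits of entropy given up by drawing uniformly from space - n_excluded
    values instead of all `space` values."""
    if not 0 <= n_excluded < space:
        raise ValueError("n_excluded must leave at least one PIN")
    return math.log2(space) - math.log2(space - n_excluded)


def exclusions_for_one_bit(space=PIN_SPACE):
    """Smallest number of exclusions that costs a full bit: half the space."""
    return math.ceil(space - space / 2)


if __name__ == "__main__":
    blocklist = build_blocklist(COMMON_PINS, PERSONAL_DATES)
    pin, rolls = pick_pin(blocklist)
    print(f"block list size: {len(blocklist)}, chosen PIN after {rolls} roll(s): {pin}")
    for k in (len(blocklist), 30, 500, exclusions_for_one_bit()):
        print(f"excluding {k:5d} PINs costs {entropy_loss_bits(k):.4f} bits")
```

Rejection sampling keeps the distribution over the remaining PINs uniform, which is what makes the entropy figure honest; picking "the next one up" from a blocked roll would not. The loss formula also lets a reader check any list size they like: a 30-entry list costs a few thousandths of a bit, and a full bit is lost only once half the space (5000 PINs) is excluded.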